[PATCH 1/2 v4] efi_loader: add sha384/512 on certificate revocation
Ilias Apalodimas
ilias.apalodimas at linaro.org
Sat May 7 09:11:41 CEST 2022
Hi Heinrich,
[...]
> > /*
> > @@ -500,7 +528,9 @@ bool efi_signature_verify(struct efi_image_regions *regs,
> > */
> > if (!msg->data &&
> > !efi_hash_regions(regs->reg, regs->num,
> > - (void **)&sinfo->sig->digest, NULL)) {
> > + (void **)&sinfo->sig->digest,
> > + guid_to_sha_str(&efi_guid_sha256),
>
> The UEFI spec knows certificate types like EFI_CERT_X509_SHA512_GUID.
> Why do we assume SHA256 here?
This part is only used for variable authentication. This was using
sha256 only before the patch, but isn't that the only thing the spec
mandates for authenticated variables?
>
> Best regards
>
> Heinrich
>
> > + NULL)) {
> > EFI_PRINT("Digesting an image failed\n");
> > goto out;
> > }
>
More information about the U-Boot
mailing list